repudiating non-repudiation

One of the most frequently sited benefits of public-key based digital signatures is that they are theoretically non-repudiable. Unlike conventional cryptography, where the same key is used to encrypt and decrypt, public key crypto uses a pair of keys: one that encrypts and one that decrypts. The advantage of this is that the originator can create a key pair, keep one key private and make the other public. When the holder of a private key encrypts a document with the private key, people can verify the that the encrypted document came from the holder by simply decrypting it with the public key from the key pair. In practice, digital signatures are a bit more complicated, but that’s the core of it.

With conventional crypto, the encrypter would be able to deny having encrypted the message: the sender has to know the encryption key in order to decrypt it, so they might also have been the one to encrypt the document. With public key crypto, the holder can’t deny having creating the encrypted document — only they have the private key, after all. Very cool, right?

Unfortunately, that’s just the theory. The practice is significantly less elegant.

To turn the theory into practice, your ability to rely on non-repudiation hangs on your ability to do three things right: implement the technology, put in place proper business practices and agreements, and make your case in court.

So, there are three questions you should ask: Relative to other means, how much does using digital signatures lower my risk over other technologies? how much will it cost me to setup up and operate a the business end? how will my chances in court be affected?

If you’re not put off by your answers to the first two questions, then you should definitely take a long, hard look at the third question. While the signer may not be able to deny that their private key was used to sign the document, they may be able to repudiate the signature on a host of other grounds: They didn’t keep their key secure and someone stole it; they didn’t understand their obligation under their user agreement to keep the key secure; they didn’t understand what authority they had granted signatures generated with their private key, etc.

I suspect you’d have better luck enforcing an agreement built around usernames and passwords than you would one built around private keys and digital signatures. So, what technology would give you the biggest return (reduction of risk) on your investment?

The theory of non-repudiation is great, in practice, it tries to do something that is unnatural: it tries to transfer all the risk of a transaction to one party — the signer. My bet is that you get better returns by accepting a more natural distribution of risk.